decrypting SOCKS proxy

README.md: Add

+57
README.md
··· 1 + ## sockhole 2 + 3 + `sockhole` is a decrypting 4 + [SOCKS](https://en.wikipedia.org/wiki/SOCKS) 5 + proxy. 6 + When it receives a request to make a connection to a port listed in its 7 + `TLS_PORTS` list, it will establish the encrypted connection itself, verify the 8 + TLS certificate, and then proxy decrypted data to the client as if the 9 + connection were made to a plaintext service. 10 + 11 + This is intended to support old software/equipment which supports SOCKS proxies 12 + but does not support SSL/TLS or modern ciphers. 13 + That software can establish a plaintext connection over a trusted LAN 14 + connection to a local machine running `sockhole`, and the `sockhole` proxy can 15 + establish a secure tunnel over the public internet. 16 + 17 + For example, a computer running a POP3 client with SOCKS proxy support but no 18 + SSL support can connect to a remote POP3 server over TLS just by switching the 19 + port configured in the POP3 client to 995 (POP3S). 20 + 21 + ### Installation 22 + 23 + server$ bundle install --path vendor/bundle 24 + 25 + ### Use 26 + 27 + server$ bundle exec ruby sockhole.rb 28 + 29 + ### Client Examples 30 + 31 + #### Curl 32 + 33 + `curl` should be instructed to use the `http` protocol on port 443, not 34 + `https`, or else it will expect encrypted data to come through the SOCKS proxy. 35 + However, when specifying a URL of `http://example.com:443/`, `curl` will send a 36 + header of `Host: example.com:443` which may cause problems on the server end 37 + with it not matching a configured virtual host. 38 + The `-H` option can be used to override the sent `Host` header to remove the 39 + port: 40 + 41 + server$ bundle exec ruby sockhole.rb 42 + [2020-11-12 08:47:24 -0600] [I] [server] listening on 192.168.1.1:1080 43 + 44 + client$ curl -H "Host: example.com" --preproxy socks5h://192.168.1.1 http://example.com:443/ 45 + <!doctype html> 46 + ... 
47 + 48 + When connecting to a TLS host with an invalid certificate, `sockhole` will reject 49 + the client before it sends any data. 50 + 51 + client$ curl -H "Host: wrong.host.badssl.com" --preproxy socks5h://192.168.1.1 http://wrong.host.badssl.com:443/ 52 + curl: (97) connection to proxy closed 53 + 54 + #### nc 55 + 56 + client$ nc -x 192.168.1.1 imap.fastmail.com imaps 57 + * OK IMAP4 ready
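
Review bot: The README names the `TLS_PORTS` list (README lines 6-7) but never says which ports it contains or where to change it, and the Use section (line 27) does not say how the listen address `192.168.1.1:1080` shown in the log at line 42 is selected. Because the proxy hands decrypted data to whichever client connects to that port, I'd suggest a short Configuration section that lists the `TLS_PORTS` entries and the bind address setting, and that says to bind only to the trusted LAN interface mentioned at lines 13-15. The Curl section (lines 44 and 51) should also say why the examples use `socks5h://` rather than `socks5://`: with `socks5h` the hostname is sent to the proxy, which it presumably needs in order to verify the certificate, so a reader who switches schemes should know what to expect. The nc example at line 56 relies on nc's default SOCKS port; spelling out `192.168.1.1:1080` there would match the curl examples and the log line.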